And on the horizontal axis is time.
And if you look here in the center, you can see that right around the 14th century,
the population of Europe was abruptly nearly cut in half.
So essentially one out of every two people dropped dead all throughout Europe,
and this was all from a single pathogen.
It took several years for the population to recover,
but even longer for civilization to recover
because this virus caused famine and unemployment and widespread civil war.
What happened is the rich nobles severely suppressed the poor people,
and the whole process set civilization back about 1,000 years.
There's a more recent biological virus that destroyed a civilization, and that's smallpox.
And smallpox was brought over by the Europeans when they invaded
or when they exploited Europe.
They explored the New World.
Now the problem is that the Native Americans had no immunity to smallpox.
The Europeans had been building up immunity for years,
but when they brought it over, the Natives had no resistance,
so it basically killed all of them.
And 95% of the population of Central America and Mexico was wiped out literally in a few years.
And that's almost overnight in the terms of global timescale.
And 50% of North America was wiped out.
So the Europeans basically walked into an empty continent.
There were no warriors left to defend this continent, just a handful.
That was the end of their civilization.
Now, none of you have ever seen a case of this in your lives.
This is a picture of smallpox, and this is caused by the virus.
Now, this has actually been eradicated from the earth,
and the reason you haven't seen it is because it's a virus.
And this is because we came up with a good vaccine to cure it.
And we're going to show why this is important with our computer virus vaccine later on.
Now, when the smallpox vaccine first came out, it was extremely dangerous,
and a lot of people that took the vaccine died.
So people were violently opposed to any concept of a vaccine.
But with time, the vaccine was improved,
and by 1977, the World Health Organization announced
that smallpox was cured.
There was no more smallpox left in the world.
The only sample is in a very tight security government research station,
and they keep it there under observation.
And probably a few other countries have a sample as well.
So getting back to our computer virus, why do we need a vaccine?
Well, we've seen that any attempts at antivirus,
or any other program so far, have been limited.
And we saw that with the I Love You virus,
which failed to prevent a global infection
that brought the internet to its knees.
There's also been attempts at digital immune systems.
For example, IBM Corporation came up with a digital immune system
where they were able to pick up samples of viruses in the wild
and automatically extract signatures
and then send that patch back out
to their subscribers.
So this is kind of an encapsulated digital immune system,
but it's not really a true vaccine for the entire internet body
because they're not really using a virus.
They're using just purified code.
And so what we've shown is from history and medicine
that vaccines are very necessary and they're inevitable
if we want to prevent global catastrophe.
We need some kind of holistic solution.
Well, unfortunately there's problems
to any kind of idea of a vaccine.
And number one among that is the antivirus community.
The antivirus or AV community hates virus writers.
They really, really hate you guys.
And you can see that by going on newsgroups
such as alt.comp.virus.
And you can see the arguments go back and forth.
And it's kind of funny to read it sometimes
because you see the two sides arguing,
but you realize,
from an objective point,
that they're really not that far apart,
yet they're so violently opposed to each other.
Now, we can counter the AV corporation's arguments
by looking at medicine.
And for them to say there's no such thing
as a good virus is ridiculous.
For example, every day doctors inject kids
with deadly viruses when they give vaccines.
The poliovirus vaccine, for example,
is a real virus.
It's live.
It's just attenuated.
So you're getting the real virus.
And this falls under a utilitarian model.
Utilitarianism says that you should do the greatest good
for the greatest number of people,
for those of you that study ethics.
And this is the model that society allows the government
to do this to us under.
Well, who will release this global vaccine?
And most importantly, don't try it yourself.
Because if you do,
it's highly illegal right now.
Spreading live viri will land you in jail.
Probably, as far as I can see,
the government right now would be
the only possible solution for that.
And for one thing,
they can do what they want and get away with it.
There's not much you can do.
You can't really sue the government.
Another benefit is they will indemnify you from harm.
Remember the poliovirus that all of you get
when you're young?
That's a real virus.
Now, if you...
Say your brother, when you're young,
gets the poliovirus vaccine,
and you don't get the vaccine for some reason,
you can actually catch live polio from your brother.
That's called vaccine-induced polio.
And it can kill you or paralyze you.
Now, what happens in that case
is the government will actually pay damages to your parents
for the damage you suffered.
That's little consolation, obviously.
But that's how the government works.
And that falls under a paternalistic model.
And paternalism means being fatherly.
In other words, society allows the government
to do what it wants because we think that it knows best.
And as far as I can see,
this virus vaccine we're talking about
would probably be released by a global epidemiology body
like the World Health Organization.
They would have to create a particular branch
made up of programmers.
Because you need somebody that knows how to track vaccines.
You need somebody that knows how to track vaccines around the world.
Well, finally, talking about the computer virus itself,
what characteristics does it need to have?
For one thing, the vaccine should be open source.
And the main reason for this is quality control.
Because we're releasing this vaccine globally,
we know that open source models
give a much higher level of quality control and debugging.
And number two, it should be international.
We can't have individual governments releasing vaccines
for an obvious reason.
For example, suppose China released a vaccine
but they were the only ones who had immunity to that virus.
That would be viewed as an act of war
by all the other countries.
So in order to prevent that situation,
it would have to be released internationally.
Third, the virus should be attenuated,
which basically means castrated.
You should take off part of its payload
or reduce its number of vectors.
What you're trying to do is create a virus
that will confer immunity without severe damage.
And finally, the vaccine should be live.
In other words, you need real replicating code.
Just to extract a virus signature
like virus scanners do right now,
we know that's not as good.
Think back to the polio virus vaccine.
That's why doctors use the real live virus in our bodies.
Okay, now here's your test for the day.
You guys go to school,
so you thought you were going to be free of tests this summer,
but you're not.
Who can tell me who said this quote?
If you can guess it, raise your hand.
Who's that?
Fred Cohen.
Okay, we have a guess for Fred Cohen.
Who agrees with that?
Actually, that's incorrect.
Anyone else?
Pardon?
McAfee.
McAfee?
Good guess.
You guys are going to be surprised
when you hear the answer.
That's not correct.
Let me read it.
It says that beneficial viruses are a simple solution
that's always wrong.
A virus is not bad or good based on its payload.
Viral propagation methods are inherently bad,
and giving them beneficial payloads doesn't help.
Who's that?
Bill Gates.
Close.
You're very close.
This was Bruce Schneier, actually.
He said this in a talk in September 2000.
He said that viral propagation methods are inherently bad.
So we all know Bruce, and we love him.
He's a regular here at DEF CON.
But you may want to ask him about this one.
Now, who knows which virus this is?
You guys.
You guys got to know this.
Very good.
The Jennifer Lopez virus.
Once again, using the power of just her behind,
this virus infected millions of computers.
People were tempted to open the I Love You virus
to get a glimpse of this.
Sorry, the Jennifer Lopez virus.
So just winding down here,
in 1997, Vesselin Bontchev
wrote a famous paper about the 12 reasons
why there can never be a good virus.
And has anyone read that paper?
Raise your hand.
A couple of you.
Okay, I see there's some hardcore virus people out here.
Now, this was a very famous paper,
and for a couple years, this was the gold standard.
But then in April 1999,
a member of the Ultimate Chaos virus group
came along and utterly destroyed
these arguments,
and that author was midnight.
And if you read his paper, it's quite eloquent.
I'm not going to go into all his arguments right now,
but what we're going to do is present arguments
from a different angle,
saying why you can have a good virus.
And I just want to go through these 12 points very quickly.
Well, number one, the antivirus companies argue
that you can't have a good virus
because it takes away your control,
and you just feel helpless.
But actually,
we know that that's a good thing sometimes.
For example, there's certain vaccines doctors give
where it confers what's called herd immunity,
like a herd of sheep.
They know if they could only immunize 50% of kids in a class,
those 50% will infect their classmates,
either by sneezing on them
or by smearing snot all over them
or by not washing their hands after they wipe themselves.
And this actually is a good thing,
because they pass the immunity on to their friends.
That's called herd immunity.
So that lack of control can be good.
Number two is recognition difficulty,
and this argument is that,
well, our scanners won't be able to tell
your good virus from a bad one.
But that's what we want.
We want an immune response
from the world antivirus software.
That's how it's going to work.
Number three is resource wasting.
And this argument says that
computer viruses waste CPU and memory.
They're just a waste of time and money.
But actually that can be a good thing.
For example, how many of you have had a flu shot?
I'm sure most of you have had a flu shot at some point.
What happens after you get a flu shot?
How do you feel the next day?
You feel sick.
A lot of times you'll get a sore throat or a fever.
And the reason is,
when you fight this weakened, attenuated flu vaccine,
your body shuts down critical pathways
and strengthens others.
And so basically it's wasting your resources,
but in the end you end up being immune to influenza,
which is a good thing.
So that takes care of that argument.
Next, number four is bug containment.
And the AVs argue that
badly written viruses spread software bugs.
But we know that software bugs are ubiquitous.
They're everywhere anyway.
That's not really a big issue.
And this is just one more argument
for an open source model.
Next is compatibility problems.
And this is the AVers argue that,
well, your virus vaccine will set off
all our checks on monitors and integrity checkers.
But again, we want that.
We want to do that in an attenuated fashion
before it becomes a real problem.
Next is effectiveness.
And the argument here is that you should use
some kind of emulator or simulator.
You shouldn't infect the total system.
You should stop it at a firewall or a sandbox.
But again, we know from examples from medicine
like the polio vaccine,
really getting the full replicating code in your system
is the best way to really test it and strengthen it.
Just continuing, the last six.
Unauthorized data modification states
that it's illegal to modify someone else's system
or attack someone else's system.
But again, this just argues for,
it needs to be done probably by a central agency.
We all let doctors inject us with deadly vaccines
when we get vaccinations anyway.
We permit that.
In fact, we embrace it.
So a society will embrace this with time.
Next is copyright and ownership problems.
And this is not a big argument.
It says that basically viruses can void copyright contracts
but again, the government could indemnify you from this
and say that if you're infected with our vaccine,
then that's not going to affect your copyright at all.
Next is possible misuse.
And this argument says that,
it argues that while virus writers will use our good vaccine
to spread viruses,
but this is kind of silly because a virus writer
could write a much better virus himself or herself.
He doesn't want to use a weakened or attenuated vector.
Next is responsibility.
And this states that we should not give any excuse
to these, quote, juvenile virus writers.
We don't want them to, if we do this,
then they're going to say,
well, I was just writing a virus to save the world.
I was just trying to help people.
But those of you who heard Sarah Gordon talk at DEF CON here last year,
she spoke on the ethics of virus writers
and she talked about a cycle where virus writers
start out at a low ethical cycle sometimes
and progress through to higher levels of ethics,
but that there's always a continuing cycle.
There will always be people releasing viruses
without the need for an excuse.
So I think this whole argument is kind of irrelevant.
The last two are closely related,
and they talk about negative common meaning and trust problems.
And what this says is that people will never trust the idea of a virus.
The word virus is just too nasty.
It's too evil.
We're never going to accept it in society.
But I think if we look back to our medical vaccines,
we see that in time people will embrace it.
Now, one of my colleagues who heard me practicing this talk suggested that,
well, why don't you just change your virus,
learn from the FBI and change the name of your virus to DCS-1000
or something like they did with Carnivore.
And I don't know.
Do you guys watch the whole FBI Carnivore issue?
They've changed the name to DCS-1000 as far as I know
in a public relations move,
but that didn't help them too much.
In conclusion,
we've shown that viruses are needed to stabilize global networks
and to prevent the collapse of civilization.
And we've proposed an open-source, international,
attenuated computer virus vaccine.
And we've shown that it's not only possible,
but that it's inevitable if we want to prevent the collapse of society.
And for those of you that are new to DEF CON
or who are new to hacking or security,
let me make a shameless plug for my book.
It's called Windows Internet Security: Protecting Your Critical Data.
And it's going to be published by Prentice Hall this fall.
And it's basically a very gentle introduction to hacking
and if you've never done a buffer overflow
or you don't understand what such things are,
I recommend you get this book
before jumping into Hacking Exposed or something more advanced.
And I was asked to announce that coming up after this talk,
we have a talk by Lile Elam,
I hope I'm pronouncing that right,
on renegade wireless networks.
And then after that, in this room,
there's going to be a talk by the famous
Robert Graham, the Chief Technology Officer of Network ICE.
He was scheduled to speak yesterday.
So if anyone missed, came to that talk and was disappointed,
stick around for the talk in an hour
and that's going to be really good.
And what I'm going to do now is open the floor up to questions.
Yes, we have a question back here.
Okay.
We have a question saying,
how do we attenuate the virus,
you know, lowering the number of vectors and things like that?
And basically this is going to be up to a lot smarter people
such as yourselves.
For example, think back to the Melissa virus.
Those of you who studied Melissa know that it had
a certain number of vectors,
like it infected the first 50 people on your Outlook contact list.
But once you got it, you're immune to it.
It conferred immunity.
It does not reinfect you.
So in a way, it had kind of a vaccinating,
immunizing property to it.
If you wanted to create a vaccine,
you might try reducing the number of vectors,
making it two or three, for example.
And that way, or even give a time delay,
saying that it couldn't spread that fast,
maybe one email every hour or every six hours.
That way, you wouldn't shut down the whole internet
within a couple days.
You'd still get the immunity,
but nobody would notice.
It'd just be a minor infection.
Did that answer your question?
Yes, question here?
What's the good virus going to do?
Is it going to provide immunity against other viruses,
or is it just going to take their antivirus off?
Could you?
Come up and use the mic.
I have a wireless mic, actually.
I don't know if it works.
So what's the good virus going to do?
Is it going to provide some immunity,
or is it going to just induce people
to upgrade their antivirus software?
Well, thanks.
I think you've answered my question for me.
It's probably the most important effect
I can see right off the bat is it'll raise awareness.
And that in itself confers a lot of immunity
because, I mean, if you ask somebody off the street,
they probably have never updated
their antivirus software ever,
you know, since they put their computer up.
And that may be three, four years out of date.
We're talking about normal people.
We're talking about people off the street.
And most of us, I mean, probably a lot of us
don't even update it every two weeks
or every month or so.
So in one way it can raise awareness,
but we're hoping it'll have a lot more impact
that we can't even foresee.
So how's that going to stop another global killer
like I Love You?
That's another excellent question.
And the only thing I can foresee is exactly
what's going to happen.
a lot of these new, new examples from medicine.
What we do in, what the doctors do in medicine
is they research what viruses are coming from Asia
or Taiwan in the summer months.
They create a vaccine.
They quickly synthesize big vatfuls of it,
and they distribute that.
By the time the virus makes it over from Asia,
they've already got these samples ready.
It's obviously in computers.
And maybe a system like IBM's would help in that situation
where it could be done automatically in the wild.
But I feel personally that it's going to be done
by people who actually are fanatics about viruses.
They scour the newsgroups,
and they know what's up and coming.
There's always going to be some that slip through the cracks,
just as in medicine.
Does that answer your question?
Okay.
Question right here.
Oh, I'm sorry.
You were first.
You were discussing the paternalistic model
where you think this government is a good vehicle
to create and distribute these.
Okay.
Well, with our economy,
based on the way it is,
and a government that's protective of its economy
as well as its military preeminence of the world,
how do you figure our government is going to be benevolent enough
to put something out there to help everybody
and put us on an equal footing?
Okay.
The question is we proposed that the virus be released
by the government.
I don't know that that's the best answer,
but I think that's probably the only answer,
and that's the paternalistic model.
Pardon?
Will we trust the government to do the right thing?
Will we trust the government?
Okay.
So there's two questions.
One is why would we think the government would help us
because they're spending money building up their military
and things like that?
To be honest,
I don't know that the government in its present state
would be able to do that.
And, again, I think it would have to be a world body.
I think we're talking about the federal government
in the future when we'll have a more world-encompassing government.
And that's one of the things I really believe in
is that in the future we'll have a more world-embracing government.
We won't have these petty, power-hungry individual governments
that don't really care as much.
And your question, again, was?
Oh, I just . . .
The question is how can we trust the government
to do the right thing and to do it quickly enough?
The reason that's a good question
is because if any of you work for the government
or have dealt with the government,
it's a huge bureaucracy.
And basically we're talking about years and decades
before things . . .
I'll get to your question next.
. . .
get done. And I don't have a good answer to that, but I can say that with groups like the World
Health Organization, where those groups are actually much better. If they have the money
and resources, for the resources they have, they do a really good job, for example, eradicating
smallpox. Now, that's a government organization, but that's a really good example of one. So
it may be possible, but like you said, it's hard to trust the government. And I think open source
will help a lot. I mean, that's one thing we can lobby for, is for open source. You, and then a
question over here.
Okay, the question is, can I explain why replication or the actual, the viral
life-saving, the viral
cycle, the thing that Bruce Schneier said is always bad, how can that possibly be good, as
opposed to just a controlled environment where, for example, administrators update their scanning
software? Okay, it kind of happens automatically. And I'm not sure I can justify that, except
through the analogy again. I don't have a working model. That's what we're going to be working on
in the next year. Hopefully, we'll have something by next year. I don't have a working model.
And if anyone here is a really good coder, please talk to me, because we're going to need a lot of help
building this. I think we had a question. Yes.
I have a statement. You were saying that viruses have a negative connotation. I would draw more
parallels between there and the viruses that are used as a vector to put in beneficial
genes in addition to start to engineer viruses to add to the health.
Excellent. I hadn't even thought of that. And the statement was that you can look at it from a genetic
engineering perspective. And in genetic engineering, you often use viruses as vectors. I can tell you're
a molecular biologist. Physicist. Okay, close enough. But that's a good way to put it. I'm just
teasing you. But you're probably in a better industry than the molecular biologists right now,
because those guys are having trouble getting jobs.
We'll bring back here, and then we'll come up to you.
I'm not worthy. We have Sarah Gordon here in the audience.
Okay.
Okay. Well, the correction was from the
legendary Sarah Gordon, who I'm actually quite humbled is actually here in this talk.
And the correction she made was that the AV community doesn't necessarily hate virus writers.
And for me to make that statement was a stereotype, and I apologize. So is that acceptable?
Thank you. Thank you. I'm sorry. We have one here, and then, sorry, I'm missing you.
Let's do yours, and then...
A few recent months, a computer virus was written that actually went out
and updated all the BIND servers on the internet to protect them from their vulnerabilities.
And the only flaw with that virus was that it had a back door in it.
And later, the virus started to get into the system. Do you have any comments on that virus?
Do you think that's close to what you're thinking about, or is that a totally different...
And do you know who wrote that? Okay. Most of you probably do. The question was that, Aaron,
the question was that there was recently a virus that went through and fixed the BIND vulnerability.
Basically, it was a worm that did kind of exactly what we're talking about here.
The only flaw with that is that it left a back door in all the systems it infected.
And it was released in the Department of Defense. And I believe the person who wrote that has just started their jail term.
Unfortunately, I believe that was written by Max Vision, who is quite famous in this circle.
The irony of that is in the future, the government will probably be coming to him for help on how to write this vaccine.
Because he actually did it. He wrote a worm that went through and immediately patched this vulnerability,
which was a huge vulnerability for the Department of Defense.
The only problem is he did it without permission.
And what the heck, by the way, he put in a back door on every system of the Department of Defense.
So he had the right idea.
But I hope you all go about it in a way that doesn't get you arrested.
We had a question here and then back.
This immunization is going to be open source. What's going to stop somebody from just leaving and putting in some nasty payload?
Okay, the question is, if this is going to be open source,
what's going to stop someone from taking what we've got and putting in a nasty payload?
And again,
Excellent question. I may be wrong here, but from the virus writers that I know,
to me, a lot of them are real geniuses.
And they can often go beyond what society or even the best programmers that I know can write.
So I think they can personally do even better.
I'm not really referring to the general community.
I'm referring to the script-kiddie virus community that just wants to go to the generators that we don't actually work for.
Okay.
Okay.
The question is, what's to keep script-kiddies from downloading this code, compiling it,
and then releasing it before it's available?
And I don't have an answer to that yet.
But hopefully by next year I will.
Question here, and then we're about to wrap up.
So let's take a question here.
I'm still failing to see your logic of how you're potentially infecting using one virus to...
Okay.
Okay.
And I'll get his question and then yours.
The question is, we have a...
What's the logic of having a virus that just confers immunity to one organ?
When antivirus can do it automatically and much more efficiently?
Is that your question?
And you may be right.
There's no guarantee that this would ever work.
It's all hypothetical.
But perhaps a combination of two.
And the thing I'm trying to present that I think will be the most important is the actual power of replication.
And from what we've seen in medicine, it can be very powerful and useful.
But it may be that we have to really harness it into...
Into an antivirus system such as one that IBM or other companies have developed.
So you may be totally right.
I may be totally wrong.
We'll see.
I have access to statistics about how many viruses are...
I'm sorry.
Can you speak up just a little bit?
I have access to quite a lot of statistics about how many viruses are infecting us.
And it's not just the names that are given out to the world.
It's probably because they're broken by others.
And various people from the region.
And after something like I Love You comes out, there is a need to do a general overall level of virus activity in the next month.
However, I don't think it would be important to get that by being infected in the first place.
And by your definition, probably 90% of viruses are in the region.
90% are already...
Pardon?
I mean, by your definition of a virus which is probably one vector, no payload.
Most viruses are one vector.
But you can't say to somebody, well, this virus has one vector.
You have no payload.
They won't want that.
Okay, that's a very good point.
And what he mentioned that...
First of all, after there's a big infection like I Love You...
You said statistically there's a dip in the number of viruses for the next few weeks or months after that.
And so that may kind of be supportive of this whole theory.
But at the same time, you said people will...
People don't want that I Love You virus in the first place.
They're never going to accept the idea of a computer virus in the first place.
They don't want the infection even if it gives them that dip.
Is that...
Yeah, I'd say that most corporates, they don't want to stop the virus.
Most corporations don't want to stop getting viruses by getting viruses.
And again, you may be perfectly correct.
This is just a theory that is coming from medicine, which is my background.
Yeah, yeah.
Are you in medicine then?
Okay, so this is a genetic engineer.
We have a physicist.
I'm actually a medical doctor myself.
That's my background.
So that's kind of how I'm coming from it.
Bringing that...
Now, there's a last question, I guess.
Would you say to a degree that virus is already doing pretty much what you're focusing on?
In the last 10 years, has technology and technology and practices increased to such a degree that it renders more than 90% of viruses?
So the comment was, wouldn't you say that viruses are already doing what I have proposed up here?
In the last decade, viruses have caused a resultant upsurge.
And antivirus technology, which has effectively gotten rid of most viruses and given us a great degree of protection.
Is that...?
Oh, yeah.
And also the methodology.
I mean, like when the first VBS script virus came out, most of the big corporations started blocking the VBS script.
Okay.
Because it was an unnecessary type of traffic.
And in a sense, that one virus caused most major corporations to target themselves against the whole world.
Okay.
And so he pointed out the first VBS script virus already did this.
It caused corporations to block VBS or to update their systems in a way to protect from it.
So you're perfectly correct.
This is already happening.
And I think if it weren't for the viruses that have already been written and the resultant antivirus community, society would be geared up for a big collapse.
Just like the Native Americans and smallpox.
They were wiped out overnight.
So I think...
I think the viruses we've had that have infected us have actually been really good for us.
They've given us an innate built-in immunity.
And the last question is right here.
It seems to me kind of like your idea would be...
I think that perhaps like bringing a bomb onto a plane, blowing up a plane, and then saying,
here, for security, it's better to keep it from blowing up planes.
So it's a good thing.
Or maybe not blowing up the plane, but seeing the bomb on the plane going,
ha-ha, we'll blow you up.
We better have better security.
It seems kind of like most people really think that's bad.
Okay.
Then the...
Probably the best point of the day...
is that the gentleman suggested that the proposal here
is kind of like bringing a bomb to an airport and blowing it up
and saying, well, that's going to improve airport security.
Why don't we go blow up some airports?
That's going to increase their defenses.
Point taken.
And again, this is...
Like you say, this is probably an extremely radical idea.
And I think AV will be violently opposed to it.
May never accept it.
And what I've tried to do is kind of bring what I've learned from medicine
to this technology.
And remember back in the early smallpox vaccine days, people, you know,
if they told you they were going to immunize you,
you'd either kill them or run away.
You didn't want that vaccine.
I think that's probably where we're going to be at the beginning.
So very good point.
And you've really got to the heart of the matter.
Well, thank you.
Thank you all for coming.
I'll be around if any of you have any questions or comments.
